Single Sign On (too many passwords)

I’m fantasizing right now about how to hook a handful of disparate projects together with exactly one login file. Recycle-A-Bicycle is hosted on Mayfirst/People Link, which uses a cool system called Red to manage most hosting account related fun. They’re generating system users with Red, so shell accounts, email, and account management share one password per user. So far so good, but we’re using MediaWiki to manage a lot of internal documents (protocols, task lists) and we’ve built our website in Drupal, with CiviCRM to manage contact information. We’ve also got a staff calendar set up using Calcium, which is great but non-free. I may migrate us away from Calcium, but in the grand scheme of proprietary software companies, you could do worse than these very nice Alaskans.

What I really, really want is for everyone to be able to use exactly one password to access their email, the website, the calendar and the wiki. I think that users choosing their own passwords is key to good security, because otherwise you have people writing things down and otherwise defeating your thoughtful protocols, but I can already see that folks are anxious about all the different logins in place, and I’m pretty sure there is a way to hook all these things together in one fell swoop. I just don’t know what it is. LDAP? OpenID?

Since a friend just asked me about hooking PHPbb logins to Drupal, I know I’m not the only one trying to figure this out.

Don’t suppose you know?

Comments

You’re looking for the Holy Grail. :)

Integrating this stuff is doable but I’ve only ever seen it succeed well in very, very small and very, very large scales.

There are actually quite a few levels to this and appropriate tools for each level — and often ideal tools that don’t entirely exist yet (e.g., OpenID integration everywhere).

One layer is simply the username / password store from which you can authenticate users. Most of the systems you mention have hooks (or can be hacked) to check passwords from somewhere other than their internal store — but the process of creating/editing users and the tool allowing users to change their passwords can be tricky. You might be able to pull this off for most of the above apps you listed, and using a central LDAP directory with a web interface to allow users to change their passwords in the directory would probably be sufficient. Not beautifully integrated, but sufficient. (You can also do things like authenticate over IMAP so, for example, if you *know* every user has an IMAP account and you don’t want to do other fancy LDAP-y things, that might be simpler to implement).

Another layer is permission systems (who has access to what), which given the scale you’re looking at would likely be entirely unmanageable in an integrated way — best to just let each system manage permission control (e.g., who can create a page in Drupal).

Lastly, for web apps, you have the cookie/session issue. Ideally, if users log in to one web app they’re logged in to all of them. There are tricks to make web apps share sessions but every app you add makes it more complicated.

Also, I just stumbled into this http://drupal.org/project/phpbb.

This is the kind of thing I like to think a lot about since it’s actually really, really hard but really, really desirable, so if you’re up for a techie dinner to talk about identity, authorization and authentication in small to mid open source organizations … I’m down. :)

posted by Scott T. on 03.16.07 at 7:00 pm

Hi Amanda,
I have a solution for your problem!

Try Clipperz, a newly launched online password manager.

The most attractive feature for you is “direct logins”: an effective and flexible single sign-on solution. Take a look at this video tutorial.

And also try the Clipperz version designed for the Firefox sidebar: Clipperz Compact.

I would love to know your opinion of Clipperz, no matter if privately or on your blog.

Best regards,
Marco
Clipperz co-founder

PS
Congratulations on the Recycle-A-Bicycle initiative! Bicycle commuting is great!

posted by Marco Barulli on 05.30.07 at 1:41 pm

Clipperz looks handy, but I’m not sure I want to store password information on an external system. Actually, I’m sure I don’t want to.

Even if I did trust you, personally, it violates some other fundamental principle of security training, to say to users “it is your responsibility to keep your password private, but here is a public service where you can hang your keyring”. It is sort of like saying “okay, first, eat no sugar. Now, before we get to item two, does anyone want a ginger candy?”

posted by Amanda on 05.31.07 at 2:14 pm